Re: [PATCH] fsnotify: Fix handling of renames in audit

From: Paul Moore
Date: Tue Feb 10 2015 - 19:58:42 EST


On Tuesday, February 10, 2015 04:00:12 PM Jan Kara wrote:
> Commit e9fd702a58c4 (audit: convert audit watches to use fsnotify
> instead of inotify) broke handling of renames in audit. Audit code wants
> to update inode number of an inode corresponding to watched name in a
> directory. When something gets renamed into a directory to a watched
> name, inotify previously passed moved inode to audit code however new
> fsnotify code passes directory inode where the change happened. That
> confuses audit and it starts watching parent directory instead of a file
> in a directory.
>
> This can be observed for example by doing:
> cd /tmp
> touch foo bar
> auditctl -w /tmp/foo
> touch foo
> mv bar foo
> touch foo
>
> In audit log we see events like:
> type=CONFIG_CHANGE msg=audit(1423563584.155:90): auid=1000 ses=2
> op="updated rules" path="/tmp/foo" key=(null) list=4 res=1
> ...
> type=PATH msg=audit(1423563584.155:91): item=2 name="bar" inode=1046884
> dev=08:0
> 2 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=DELETE
> type=PATH msg=audit(1423563584.155:91): item=3 name="foo" inode=1046842
> dev=08:0
> 2 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=DELETE
> type=PATH msg=audit(1423563584.155:91): item=4 name="foo" inode=1046884
> dev=08:0
> 2 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=CREATE
> ...
> and that's it - we see event for the first touch after creating the
> audit rule, we see events for rename but we don't see any event for the
> last touch. However we start seeing events for unrelated stuff happening
> in /tmp.
>
> Fix the problem by passing moved inode as data in the FS_MOVED_FROM and
> FS_MOVED_TO events instead of the directory where the change happens.
> This doesn't introduce any new problems because noone besides
> audit_watch.c cares about the passed value:
> fs/notify/fanotify/fanotify.c cares only about FSNOTIFY_EVENT_PATH events.
> fs/notify/dnotify/dnotify.c doesn't care about passed 'data' value at all.
> fs/notify/inotify/inotify_fsnotify.c uses 'data' only for
> FSNOTIFY_EVENT_PATH. kernel/audit_tree.c doesn't care about passed 'data'
> at all.
> kernel/audit_watch.c expects moved inode as 'data'.
>
> CC: linux-audit@xxxxxxxxxx
> CC: Paul Moore <paul@xxxxxxxxxxxxxx>
> CC: Eric Paris <eparis@xxxxxxxxxx>
> CC: stable@xxxxxxxxxxxxxxx
> Fixes: e9fd702a58c49dbb14481dca88dad44758da393a
> Signed-off-by: Jan Kara <jack@xxxxxxx>
> ---
> include/linux/fsnotify.h | 6 ++++--
> 1 file changed, 4 insertions(+), 2 deletions(-)

I can confirm this is indeed broken.

Thanks for the patch. I'm building a test kernel as I type this, assuming all
goes well I'll send this to Linus with the other audit patches for v3.20.

--
paul moore
www.paul-moore.com

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/